A Point Counting Algorithm for Cyclic Covers of the Projective Line

HAL Id: hal-01054645

https://hal.archives-ouvertes.fr/hal-01054645v2

Submitted on 22 Aug 2014

HAL

is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire

destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

A Point Counting Algorithm for Cyclic Covers of the Projective Line

Cécile Gonçalves

To cite this version:

Cécile Gonçalves. A Point Counting Algorithm for Cyclic Covers of the Projective Line. Contemporary

mathematics, American Mathematical Society, 2015, Algorithmic Arithmetic, Geometry, and Coding

Theory, 637, pp.145. �hal-01054645v2�

Projective Line

Abstract. We present a Kedlaya-style point counting algorithm for cyclic covers y^r = f(x) over a finite field Fpⁿ withp not dividing r, and r and degf not necessarily coprime. This algorithm generalizes the Gaudry–G¨urel algorithm for superelliptic curves to a more general class of curves, and has essentially the same complexity. Our practical improvements include a sim- plified algorithm exploiting the automorphism of C, refined bounds on the p-adic precision, and an alternative pseudo-basis for the Monsky–Washnitzer cohomology which leads to an integral matrix whenp≥2r. Each of these im- provements can also be applied to the original Gaudry–G¨urel algorithm. We include some experimental results, applying our algorithm to compute Weil polynomials of some large genus cyclic covers.

1. Introduction

A cyclic cover of the projective line is a nonsingular projective curveC defined over Fpⁿ by the affine plane model

C:y^r=f(x),

wheref is a monic, squarefree degreedpolynomial andpdoes not divider. Count- ing points on, and more generally determining the zeta function of a cyclic cover is an interesting problem with many applications in number theory.

A lot of work has been done in point counting during the last three decades, providing efficient point counting algorithms for elliptic curves (r= 2 andd= 3).

The first deterministic polynomial time algorithm for counting points of elliptic curves was theℓ-adic algorithm of Schoof [Sch85]. It was improved by Atkin and Elkies to give the famous SEA algorithm (see [Sch95] for the details). Pila pro- posed a generalization of this approach to general abelian varieties [Pil90, Pil88], and Schoof-style algorithms have been implemented with success for hyperelliptic curves of genus 2 (r= 2, d≤6) [GS12, GKS11], but there seems to be no hope of a practical ℓ-adic point counting algorithm for d > 6 or r >2, since these al- gorithms are exponential in the genus. Other efficient point counting algorithms using canonical lifts or the AGM also seem limited to genus 1 and 2, and they are also exponential in logp[Sat00, GH00, Mes00, Mes02].

In 2001, Kedlaya [Ked01] published a point counting algorithm for odd degree hyperelliptic curves (r = 2, d = 2g+ 1) over finite fields of small characteristic p. This algorithm uses a lift of the Frobenius on Monsky–Washnitzer cohomology

2010Mathematics Subject Classification. Primary 14G05, 11G20; Secondary 14G15, 68Q25, 14G10, 11Y16, 14Q15.

Key words and phrases. Algebraic geometry, Number Theory.

The author was supported in part by DGA (D´el´egation G´en´erale de l’Armement), France.

1

(see [vdP86] for details) and is polynomial in the genus and the field degree, but linear in p (and hence exponential in logp). This complexity was improved by Harvey [Har07] in larger characteristic reducing the dependence to√p. Kedlaya’s algorithm has been extended to more general classes of curves including superelliptic curves [GG01], Ca,b curves [DV06] and nondegenerate curves [CDV06]. In the latter two cases, the algorithm is slower than for superelliptic curves of the same genus, because the curves involved are too much general to find a convenient basis of cohomology. This problem can be solved using deformation theory [CHV08]

which reduces the computation of the Weil polynomial of a Ca,b curve into the computation of the Weil polynomial of a superelliptic curve. This algorithm has been extended to hypersurfaces [PT13]. Minzlaff [Min10] improved the complexity of the Gaudry–G¨urel algorithm for superelliptic curves applying the improvements of Harvey. Tuitman [Tui14] has recently proposed a Kedlaya-style algorithm for general covers of the projective line. An alternate approach using Serre duality [BEd13] is available for smooth curves over finite fields and appears promising for the general case.

In this paper, we present a Kedlaya–style algorithm for cyclic covers of the projective line which runs in

Oe pn³d⁴r³+n²rd^ν+1 Xs

i=1

c^ν_i

!!

elementary operations, where the permutationj7→pⁿj modrof{1,· · ·, r−1}is a product of scycles of lengthsc1, c2,· · ·, cs;ν is the exponent in the complexity of matrix multiplication (2< ν <3), andOe is the Soft-Oh notation which ignores the logarithmic factors. Note that in the best case, which is precisely the case where the r-th roots of unity are contained inF_pⁿ, we haves=r−1 andci= 1 for 1≤i≤s, which leads to a complexity in O pne ³d⁴r³

elementary operations. In the worst case,s= 1 andc1=r−1, which leads to a complexity inO pne ³d⁴r³+n²r^ν+1d^ν+1 elementary operations. Note also that this approach is compatible with Harvey’s improvements so we can reduce the dependency inpto√pin larger characteristic.

This algorithm generalizes the Gaudry–G¨urel algorithm [GG01] from superel- liptic curves to general cyclic covers, following the approach of Harrison [Har12] for even-degree hyperelliptic curves. While our algorithm has essentially the same complexity as the Gaudry–G¨urel algorithm, we offer practical improvements includ- ing

• a simplified algorithm exploiting the automorphism ofC;

• refined bounds on thep-adic precision; and

• an alternative pseudo-basis for the Monsky–Washnitzer cohomology which leads to an integral matrix whenp≥2r.

Each of these improvements can also be applied to the original Gaudry–G¨urel al- gorithm.

The paper is organized as follows: Section 2 recalls the definition of cyclic covers with their main properties, Section 3 describes Monsky–Washnitzer cohomology for cyclic covers and the action of Frobenius. Section 4 gives a summary of our algorithm; in Section 5 we analyze the complexity of our algorithm. Section 6 proves the precision bounds to which we have to perform the computations in order to have an exact result (these bounds also apply to the Gaudry–G¨urel algorithm);

in Section 7 we study the use of another pseudo-basis which leads to a matrix with integral coefficients when p≥2r; the use of this basis slightly accelerates the computations. To conclude, Section 8 gives some numerical experiments.

2. Cyclic covers of the projective line

Definition2.1. A cyclic cover of the projective line is a nonsingular projective curveC defined overF_q by the affine plane model

(2.1) C:y^r=f(x),

where f is a monic, squarefree degreedpolynomial overF_q and the characteristic pofF_q does not divider.

Let

δ:= gcd(r, d).

A cyclic cover C : y^r = f(x) embeds naturally in the weighted projective space P ^r_δ,^d_δ,1

(see [Rei02] for details on weighted projective spaces), where it is a nonsingular curve withδpoints at infinity. The genus of the curve is

(2.2) g= (r−1)(d−1)

2 −δ−1

2 .

It is also equipped with an automorphism of orderr defined by ρr: (x, y)7−→(x, ζry)

where ζr is a primitiver-th root of unity inF_q.

Remark 2.2. Whenranddare coprime, thenδ= 1 andC is superelliptic.

Definition2.3. LetCbe a genusgcurve defined overF_q. The Weil polynomial P ofC is the characteristic polynomial of the q-th power Frobenius acting on the JacobianJ(C) ofC and has the form

P(t) =t^2g+a1t^2g−1+· · ·+ag−1t^g+1+agt^g+qag−1t^g−1+· · ·+q^g−1a1t+q^g, with|ai| ≤ ^2gi

q^i/2. We call the coefficients (a1, . . . , ag) the Weil coefficients ofC. The aim of any point counting algorithm is to compute the Weil polynomial of the given curve. The Weil polynomial determines the cardinality of the Jacobian, since #J(C)(F_q) =P(1). Since the Weil polynomial is the reciprocal polynomial of the numerator of the zeta function, it also determines #C(F_qk) (and #J(C)(Fq^k)) for allk >0.

3. Monsky–Washnitzer cohomology for cyclic covers and the action of Frobenius

Let C : y^r = f(x) be a cyclic cover of the projective line of genus g over F_q, with q=pⁿ and letddenote the degree off.

We focus on the case whereranddare not coprime, andf has no root inF_q. This is because ifranddare coprime, then we can simply apply the Gaudry–G¨urel algorithm to C. If f has a root αin F_q, then we can immediately reduce to the case where r anddare coprime. Indeed, let f1 be such that f(x) = (x−α)f1(x), h(x) =f1(x+α) andC^′ be the superelliptic curve defined overF_q by

C^′:y^r₁=x^d−1₁ h 1

x1

.

Then theF_q–isomorphism fromC^′ toC defined by (x1, y1)7−→

1

x1−α, y1

(x1−α)^d/r

allows us to apply the Gaudry–G¨urel algorithm toC^′to computeP(t) (the algorithm we describe below reduces to Gaudry–G¨urel in the superelliptic case). Note that in general,f has no root inF_q so we can’t use this trick.

Recall thatC hasδpoints at infinity. Their coordinates inP(^r_δ,^d_δ,1) are (3.1) P∞,k= [1 :ζ_r^k: 0] for 1≤k≤δ,

where ζr is a primitiver-th root of unity over F_q.

In any Kedlaya-style algorithm, we compute in the ring Z_q, which is the ring of integers of Q_q, an unramified extension ofQ_pof degreen. We have

Z_q∼=Z_p[x]/hQ(x)i,

whereQis an arbitrary lift toZ_pof a defining polynomial ofF_qoverF_p. The Galois group ofQ_q overQ_p is cyclic; its generatorσreduces modulo pto the p-th power Frobenius automorphism ofF_q.

The aim of our algorithm is to compute the action of Frobenius on the first Monsky–Washnitzer cohomology group ofC, denoted byH_MW¹ (C,Q_q), and defined by

H_MW¹ (C,Q_q) = (A^†dx+A^†dy)/dA^†

⊗^ZqQ_q,

where A^† =Z^†_q[[x, y]]/hy^r−f(x)i withf an arbitrary lift of degree d= deg(f) of f toZq andZ^†_q[[x, y]] is the ring of overconvergent series overZq, that is the ring of power seriesP

i,jai,jxⁱy^j whose radius of convergence is greater than one. This means that thep-adic valuations of the coefficients grows up at least linearly, that is

∃α, β∈R, α >0 such that ordp(ai,j)≥α|i+j|+β, ∀i, j.

Taking a lowbrow point of view, H_MW¹ (C,Q_q) consists of differential forms of C lifted to Z_q modulo the relations coming from the equation ofC and the fact that dφ≡0 for all rational functionsφ. See [vdP86] for more detailed explanations of H_MW¹ (C,Q_q).

The first thing to do is to determine a basis of H_MW¹ (C,Q_q). In order to get a basis which is easily described and convenient to compute with, we remove from C the ramification points of the projection map on the x-axisπ:C →P¹ defined by π: [x:y:z]7→[x:z]. Let Cebe the curve corresponding to C without the F_q- rational divisor formed by the dpoints on the x-axis and the δ points at infinity (which map to a single rational point ofP¹under π):

Ce=C \ n

(α,0)∈ C(F_q)|f(α) = 0o

∪n

P∞,k |k∈[1, δ]o .

The elements of H_MW¹ (Ce,Q_q) are the P

i∈Z,j∈Z(ai,jdx+bi,jdy)xⁱy^j. Using the equation of the curve and the relation

(3.2) ry^r−1dy=f^′(x)dx,

it follows that the elements of H_MW¹ (Ce,Q_q) are represented by series in the form X

0≤i<d,j∈Z

ai,jxⁱy^jdx. As Equation (3.2) gives rxⁱy^j+r−1dy = xⁱy^jf^′(x)dx for all i, j∈Z, and using the fact thatd

−r−j^r xⁱy^r−j

= 0 forj > r, we get (3.3) xⁱf^′(x)dx

y^j = ri

j−rxⁱ⁻¹ dx

y^j−r forj > r.

Ifj ≥0, then the relationy^r=f(x) implies that the elements ofH_MW¹ (Ce,Q_q) are represented by sums in the formP

0≤i<2d,1≤j≤rai,jx^{i dx}_yj. Usingd(rxⁱy^r−j) = 0,we get

(3.4)

rixⁱ⁻¹f(x) + (r−j)xⁱf^′(x)dx

y^j = 0 for 1≤j≤randi≥0.

As the degree inxof the expression above isd+i−1, it follows that Be=

xⁱdx

y^j |i∈[0, d−2], j∈[1, r]

is a basis of H_MW¹ (Ce,Q_q).

Proposition 6.1 of [vdP86] shows that working with Ceinstead of C enlarges the dimension of the first Monsky–Washnitzer cohomology group:

dim

H_MW¹ (Ce,Q_q)

= 2g+d+δ−1 = dim H_MW¹ (C,Q_q)

+d+δ−1.

The spaceH_MW¹ (Ce,Q_q) decomposes into a direct sum of r eigenspaces under the action of the automorphismρr: (x, y)7→(x, ζry) ofC:

• H_MW¹ (Ce,Q_q)¹, which corresponds to the fixed points ofρrand has dimen- siondwith basisn

x^{i dx}_yr |i∈[0, d−1]o

.This subspace comes from thed points removed from the affine part ofC on thex-axis.

• ther−1 spacesH_MW¹ (Ce,Q_q)^ζr−j of dimensiond−1, for 1≤j < r, with

basis

xⁱdx

y^j |i∈[0, d−2]

.

Observe that ρr

x^{i dx}_yj

=ζ_r^−jx^{i dx}_yj, so ρr has eigenvalue ζ_r^−j onH_MW¹ (Ce,Q_q)^ζr−j for any 1≤j≤r.

Let i: H_MW¹ (C,Q_q)֒→H_MW¹ (Ce,Q_q) be the embedding from H_MW¹ (C,Q_q) to H_MW¹ (Ce,Q_q). As i(H_MW¹ (C,Q_q))∩H_MW¹ (Ce,Q_q) = {0}, the space H_MW¹ (C,Q_q) is contained in the direct sum of the H_MW¹ (Ce,Q_q)^ζjr, for 1 ≤ j < r which has dimension 2g+δ−1 with basis

B=

xⁱdx

y^j |i∈[0, d−2], j∈[1, r−1]

.

ClearlyBdoes not correspond to a basis forH_MW¹ (C,Q_q) (since it containsδ−1 too many vectors). The space generated byB decomposes into a direct sum of two subspaces stable under the action of Frobenius. Letc:hBi →H_MW¹ (C,Q_q) be the map sending an element to its representative in H_MW¹ (C,Qq). As H_MW¹ (Ce,Qq) contains H_MW¹ (C,Q_q) and i(H_MW¹ (C,Q_q))∩H_MW¹ (Ce,Q_q)¹={0} (where i is the embedding from H_MW¹ (C,Q_q) toH_MW¹ (Ce,Q_q)), it follows that c is surjective. So we have the decomposition

hBi=H_MW¹ (C,Q_q)⊕ker(c).

So we will proceed into two steps: we first compute the action of Frobenius on the space generated byB, and then we remove an extra factor from its characteristic polynomial which corresponds to the action of Frobenius on the (δ−1)-dimensional subspace ker(c). Theorem 4.1 describes this extra factor. This is similar to Harri- son’s approach in extending Kedlaya’s algorithm to hyperelliptic curves with even degree [Har12].

Remark 3.1. The p-th power Frobenius maps the space H_MW¹ (Ce,Q_q)^ζrj to H_MW¹ (Ce,Q_q)^ζℓr for 1 ≤ j < r where ℓ=jpmodr. Thus, the matrix of the p-th power Frobenius map acting on B is a block matrix with exactlyr−1 non-zero blocks of sized−1. There is exactly one non-zero block on each row partition and each column partition.

We begin by computing the action of Frobenius on the elements ofB. Let τ =y^−r.

We can lift thep-th power Frobenius to differential forms by setting F(x) =x^p

and

F(y)^r=F(f(x)) so

F(y) =y^p 1 + F f(x)

−f(x)^p τ^p1_r (3.5)

=y^pX

i≥0

1/r i

F f(x)

−f(x)^pi τ^pi,

and

F(dx) =d(F(x)) =px^p−1dx.

Thep-th power Frobenius acts on the basis vectors as F

xⁱdx

y^j

=px^p(i+1)−1F(y)^−jdx (3.6)

=px^p(i+1)−1y^−jp(1 +pE(x)τ^p)^−j/rdx

=x^p(i+1)−1y^−jpX

k≥0

−j/r k

p^k+1E^k(x)τ^pkdx

=x^p(i+1)−1X

k≥0

−j/r k

p^k+1E^k(x)τ^pk+adx y^ℓ,

whereE(x) = F(f(x))−f(x)^p

p andjp=ar+ℓ. Applying a change of index, we obtain F

xⁱdx

y^j

=x^p(i+1)−1 X

k≥a,k≡amodp

p^k−pa+1Qk(x)τ^kdx y^ℓ.

After normalizing (using the equation ofC to remove all the terms with degree in xgreater than deg(f)), and using the fact thatQa = 1, we have:

(3.7) F

xⁱdx

y^j

= X

k≥k0,k≡amodp

p^k

−a p +1

Rk(x)τ^kdx

y^ℓ, wherek0≥a−

p(i+ 1)−1 d

with deg(Rk)< dfor allk >1.

We then apply two reduction steps described below, resulting from relations in cohomology, in order to express the image of each basis element as a linear combination of the elements ofB.

Red1: Decrease the degree inτ by at least one, using the formula (3.8) Rk(x)τ^kdx

y^ℓ =

Ak(x) + r

r(k−1) +ℓB^′_k(x)

τ^k−1dx y^ℓ,

where Rk =Akf +Bkf^′, coming from Equation (3.3). We apply (3.8) as many times as needed. Note that Ak and Bk exist because f, and thereforef are squarefree.

Red2: Given an expression of the form S(x)^dx_yℓ with S of degree m, use Equation (3.4) to decrease by at least one the degree ofSto at mostd−2 by subtracting some multiples of

(3.9) r(i−d+ 1)x^i−df(x) + (r−ℓ)x^i−d+1f^′(x) ford−1≤i≤m= deg(S) from S. We apply (3.9) as many times as needed.

We obtain a matrixMF, which is the matrix of thep-th power Frobenius with respect to B. We recover the matrix of theq-th power Frobenius which is

(3.10) M =MF·M_F^σ· · ·M_F^σn−1,

where σ is the p-th power Frobenius on Q_q and M_F^σ is the matrix obtained by applying σ to the coefficients of MF. Note that we can use the special block structure of MF to speed up the computation of M, which is a matrix composed of (d−1)×(d−1) blocks as well.

4. Adaptation of the Gaudry–G¨urel algorithm to general cyclic covers We want to compute the Weil polynomial of C. Once we have computed the characteristic polynomialχM, we need to remove an extra factor.

Theorem 4.1. The Weil polynomialP of C is P(t) = χM(t)

U(t) ,

where χM(t)is the characteristic polynomial of the matrix M corresponding to the action of the q-th power Frobenius with respect toB and

U(t) = Y

i|δ , i>1

(t^ki−q)^ϕ(i)ki ,

where ki is the order of qinZ/ϕ(i)Z andϕis the Euler totient function.

Proof. We follow the approach of [Har12, Lemma 3.1].

Let α1,· · ·, α2g denote the roots ofP and Se =α^e₁+α^e₂+· · ·+α^e_2g. LetRe

denote the number of roots off inF_q^e andIethe number ofF_q^e-points at infinity.

Finally, let

L=π(Ce), where π:C →P¹ is the projection on thex-axis.

For everye >0, we have

#C(Fq^e) = (q^e+ 1−Se),

#Ce(Fq^e) = (q^e+ 1−Se)−Re−Ie, and

#L(Fq^e) = (q^e+ 1)−Re−1.

The Lefschetz trace formula forCesays that for eache >0, (q^e+ 1−Se)−Re−Ie= Tr((qF⁻¹)^e|H_MW⁰ (Ce,Q_q))

−Tr((qF⁻¹)^e|H_MW¹ (Ce,Qq)¹)

−X

j6=0

Tr((qF⁻¹)^e|H_MW¹ (Ce,Q_q)^ζr−j) while the trace formula forLsays that for eache >0,

(q^e+ 1)−Re−1 = Tr((qF⁻¹)^e|H_MW⁰ (Ce,Q_q))−Tr((qF⁻¹)^e|H_MW¹ (Ce,Q_q)¹).

Subtracting the first equation from the second, we get X

j6=0

Tr((qF⁻¹)^e|H_MW¹ (Ce,Q_q)^ζ−rj) =Se+Ie−1.

The sum of the e-th powers of the eigenvalues of qF⁻¹ on ⊕jH_MW¹ (Ce,Q_q)^ζr−j is Se+Ie−1.

Let

V(t) = Y

i|δ,i>1

(t^ki−1)

ϕ(i) ki ,

whereki is the order ofqinZ/ϕ(i)Zandϕis the Euler totient function. Then the e-th power sum of the roots ofV(t) isIe−1 for eache >0, so the e-th power sum of the roots ofV(t)P(t) isSe+Ie−1, or eache >0. Then

P(t)V(t) =χqF⁻¹(t), and hence

P(t)U(t) =χM(t).

Remark 4.2. Note that in the superelliptic case, the fact that δ= 1 tells us thatBcorresponds to a basis ofH_MW¹ (C,Q_q). So in the superelliptic case we do not have to remove an extra factor from the characteristic polynomial of the Frobenius map acting onB: the characteristic polynomial is the Weil polynomial ofC.

In practice, we want to compute the Weil polynomial of C over Z_q, but p- adic numbers are infinite series so algorithmically we are forced to work with finite approximations. In practice, we work up to a certain precisionN: that is, modulo p^NZ_q for some suitably large value ofN.

The Weil bounds (see Definition 2.3) tell us that if we do the computations to sufficient precision then we can recover the Weil polynomial exactly. As we lose some digits of precision during the reduction steps, we have to enlarge these bounds.

Theorem 4.3 states the precision bounds and its proof can be found in§6.

Theorem 4.3. In order to compute the Weil polynomial of C exactly, we have to do the computations with the basis B up to precision

N= min

n∈N

n−

log_p

p(rn−1)−r

≥N0+

log_pdp(r−1) +r δ

where

N0=

log_p

2 2g

g

q^g/2

.

We will carry out our computations modulop^N, whereN is defined in Theorem 4.3. At the end of the algorithm, we will have determined the Weil polynomial ofC modulop^N0, which is sufficient to determine it exactly, because of the Weil bounds.

Algorithm 1,CyclicCoverWeilPolynomialcomputes the Weil polynomial of a cyclic coverC defined overF_q by the equationy^r=f(x). Note that Steps 1 to 5 of Algorithm 1 reduces to Gaudry and G¨urel’s algorithm.

Step 1 computes the precisionN stated by Theorem 4.3. In Step 2, we compute F(y)⁻¹modp^N using Equation (3.5). Indeed, if R= 1 + (F(f(x))−f(x)^p)τ^p, thenF(y)⁻¹=y^−pR^−−1r , wheref is an arbitrary degreed= deg(f) lift off toZ_q and τ =y^−r. Note that we use a Newton iteration to compute the inverse of the r-th root ofR up to precisionN. In Step 3, we compute the action of Frobenius on the vectors ofB given by Equation (3.6). We then apply Algorithm 2,Reduc- tionCohomology, to reduce a differential form back to a linear combination of vectors ofBusing the reduction rules Red1 and Red2 described above in Equations (3.8) and (3.9). The result of Step 3 is the matrixMF of thep-th power Frobenius map acting onB. The ordering of the indices J is chosen in such a way that the d−1 byd−1 blocks are grouped into larger blocks reflecting the cyclic action of multiplication by q modulor. These larger blocks form a block diagonal matrix:

for each cycle of lengthc, there is a block of sizec(d−1). In Step 4, we compute the

matrixM of the q-th power Frobenius map acting onB from MF using Equation (3.10) and using the block structure ofMF. Note that the resulting matrixM has the same block structure. We then compute its characteristic polynomial up to pre- cisionN0. Again, we use the block structure ofM. Finally, in Step 5 we compute the extra factor U using Theorem 4.1 and we then return the Weil polynomial of C.

Algorithm 1CyclicCoverWeilPolynomial

Input: Cyclic cover C of genus g over F_q, with q = pⁿ, defined by the equation y^r=f(x), withf a monic, squarefree degreedpolynomial.

Output: The Weil polynomialP(t) ofC. Step 1: Precision bounds:

Computeδ:= gcd(r, d);

N0:=l log_p

2 ^2g_g q^g/2m

; N := minn

n−

log_p(p(rn−1)−r)

≥N0+j

log_pdp(r−1)+r

δ

k|n∈No

; Step 2: Compute F(y)⁻¹modp^N:

R:= 1 + (F(f(x))−f(x)^p)τ^p; // whereτisy^−r andf is an arbitrary lift off toZq.

S :=R^−1r; //F(y)⁻¹=y^−pS

Step 3: Action of Frobenius on B :

//where B=n x^{i dx}

y^j |i∈[0, d−2], j∈[1, r−1]o .

ComputeJ as the sequence [1, r−1] sorted in cycles under the action of multi- plication by qmodr. //We haveJ[i+ 1] =qJ[i] modr.

forj in J do

fori= 0 tod−2 do

ω:=px^p(i+1)−1S^jτ^jpr−ℓdx_yℓ; // whereℓ=jpmodr.

//ω=F x^{i dx}_yj

has the formP

0≤k≤µRk(x)τ^{k dx}_yℓ,whereµ=pN−1.

Red:=ReductionCohomology(C, N, ω);

//Then, fill the matrix

fork= 0 tod−2 do

MF[(d−1)(j−1) +i+ 1][(d−1)(ℓ−1) +k+ 1] := Coeff(k,Red);

end for end for end for

Step 4: Compute the characteristic polynomial:

M :=MF.M_F^σ. . . M_F^σn−1; //Use the block structure ofMF to speed up the computation of M

χ(t) :=χM(t) modN0; //Use the block structure ofMto speed up the computation ofχ

Step 5: Remove the extra factor:

U(t) :=Q

i|δ , i>1(t^ki−q)

ϕ(i)

ki ,where ki := min{n∈N:ϕ(i)|qⁿ−1}; return P(t) := _U(t)^χ(t);

5. Complexity

In this section, we describe the space and time complexity of Algorithm 1 as a function of the parameters p, n, r and d and we show that this complexity is linear in p and polynomial in n, r and d (in particular, it is polynomial in the genus). We use the Soft-oh notation so that the logarithmic terms are not taken into account. We let 2 < ν < 3 be the exponent such that the complexity of multiplying two square matrices of sizek over a ring RisOe(k^ν) operations in R

Algorithm 2ReductionCohomology

Input: A lift of a cyclic coverC:y^r=f(x) toZ_q up to precisionN, with q=pⁿ, and f a monic, squarefree degree d polynomial, precision N, differential form ω=P

0≤k≤µRk(x)τ^{k dx}_yℓ.

Output: A differential formT(x)^dx_yℓ equivalent to ω, with deg(T)≤d−2.

Step 1: Reduce degree in τ, that is, transform ω to S(x)^dx_yℓ:

// At each iteration, we reduce the degree inτ by at least one.

fork=µto 1do

ComputeAkandBksuch thatRk =Akf+Bkf^′, using the extended Euclidean algorithm. //f is an arbitrary lift off toZq.

Replace the term Rk(x)τ^{k dx}_yℓ inω with

Ak(x) +_r(k−1)+ℓ^r B_k^′(x)

τ^k−1dx_yℓ. end for

Step 2: Reduce the degree in x, that is, transformS(x)^dx_yℓ toT(x)^dx_yℓ, with deg(T)≤d−2:

T :=S;

m:= deg(T);

while m≥d−1do

Te:=r(m−d+ 1)x^m−df(x) + (r−ℓ)x^m−d+1f^′(x);

Te:= ^LC(T)

LC(Te)Te; //LC is the Leading Coefficient

T :=T−Te; m:= deg(T);

end while return T(x)^dx_yℓ;

(using the Coppersmith–Winograd algorithm, for example). We letsbe such that the permutation j7→qjmodr of{1,· · ·r−1} is a product of scycles of lengths c1, c2,· · · , cs.

Proposition 5.1. With the notation above, the Weil polynomial of a cyclic cover C : y^r = f(x) defined over F_pn, with f of degree d can be computed using Algorithm 1 in time O pne ³d⁴r³+n²rd^ν+1(Ps

i=1c^ν_i)

elementary operations and spaceO pne ³d³r²+n²d³r Ps

i=1c²_i

bits of memory.

Proof. We first describe the bit size of the different objects. An element of Z_q is represented by a polynomial of degreen−1 with coefficients inZ_ptruncated to precisionN, so it has sizeO(nNlog(p)) =Oe(nN). An element ofH_MW¹ (C,Q_q) is represented by a degree µ=O(pN) polynomial in τ whose coefficients are poly- nomials overZ_q of degree less thand, so it has sizeO pndNe ²

.

Thanks to Sch¨onhage and Strassen, the multiplication between two integers of bit-size k isOe(k) elementary operations [vzGG03]. Hence, the complexity of multiplying two elements of Zq is Oe(nN) elementary operations and the cost of multiplying two elements of H_MW¹ (C,Q_q) isO pndNe ²

elementary operations.

Recall that we normalize the elements of H_MW¹ (C,Q_q) at each step using the equation of the curve, so we need to calculate the complexity of the normalization.

This procedure is described in [GG03, vzGG03], so we will not go into further detail here. If we want to normalize Q(x)τ^k, then it costs Oe(deg(Q)) operations in Z_q so the complexity of the normalization step is Oe(nNdeg(Q)) elementary operations.

We compute the Frobenius substitution on Z_q by a Newton iteration and H¨orner’s method: if z = Pn−1

k=0zkt^k is an element of Z_q then z^σ=Pn−1 k=0zkt^σk where t^σ is computed using a Newton iteration. The complexity of the Newton algorithm is determined by the last iteration, which costs O(n) operations in Z_q, that is O ne ²N

elementary operations. H¨orner’s method costs O(n) operations in Z_q, that is,O ne ²N

elementary operations. Hence, we compute the Frobenius substitution onZ_q inO ne ²N

elementary operations.

In Step 2 of Algorithm 1, we compute the inverse ofF(y) by a Newton iteration.

We first computeR, by computing the polynomialF(f(x))−f(x)^pof degreepd. We then normalize R which costs Oe(nNdeg(R)) =Oe(nN pd) elementary operations.

We then apply the Newton algorithm toR in order to computeS as the inverse of itsr-th root. The complexity of the Newton algorithm is a constant times the cost of its last iteration which consists of some multiplications between two elements of H_MW¹ (C,Qq) and a normalization. The cost of the Newton iteration is therefore O pndNe ²

elementary operations. So the cost of Step 2 isO pndNe ²

elementary operations. This step requiresO pndNe ²

bits of memory.

In Step 3 of Algorithm 1, we first compute S^j which costs O pndNe ² ele- mentary operations. We then apply a normalization to px^p(i+1)−1S^j which costs Oe(pdnN) elementary operations in the worst case. Then we perform the reduction steps using Algorithm 2. In Step 1 of Algorithm 2, we doµiterations: each time we computeAk andBk using the extended Euclidean algorithm, which costsO(d) op- erations inZ_q, that isOe(dnN) elementary operations. Then we replace the term in ω of highest degree inτ by performingdadditions inZ_q, which costsOe(ndN) ele- mentary operations. So the cost of Step 1 of Algorithm 2 isOe(µdnN) =O pdnNe ² elementary operations. During the second Step of Algorithm 2, we do deg(S)≤dp iterations which consists of d operations of elements of Z_q, so the cost of Step 2 in Algorithm 2 is Oe(dp×d×nN) = O pde ²nN

elementary operations and it requires O pndNe ²

bits of memory.

The complexity of reducing a differential form with Algorithm 2 is therefore Oe(pdnN(N+d)). As we need to reduceO(rd) differential forms, the complexity of Algorithm 2 isO pde ²nrN(N+d)

elementary operations, and since we reduce dif- ferential forms one by one, Algorithm 2 requiresO pndNe ²

bits of memory. Putting everything together, the complexity for Step 3 of Algorithm 1 isO pde ²nrN(N+d) elementary operations and it requiresO pndNe ²

bits of memory.

In Step 4 of Algorithm 1, we compute the matrix of the q-th power Frobe- nius. Recall that MF is a block diagonal matrix of sblocks matricesMF,i of size ci(d−1)×ci(d−1) for 1≤i ≤s. Note that MF,i is itself a block matrix, com- posed of ci blocks of size (d−1)×(d−1), with only one non zero block on each row partition and column partition. The matrixM is also a block diagonal matrix:

its blocks are the norms

Mi=MF,i·M_F,i^σ · · ·M_F,i^σn−1.

Each of the Mi can be computed using H¨orner’s method (and the sub-block struc- ture ofMF,i); this costsOe(ncid^ν) operations inZ_q and requiresO ce id²nN

bits of memory. The total cost of computingM is thereforeOe(n(Ps

i=1ci)d^νnN), that is, O ne ²rd^νN

elementary operations (becausePs

i=1ci=r) and requiresO rde ²nN bits of memory.

We then compute the characteristic polynomial ofM which is the product of the characteristic polynomials χMi of theMi. The complexity of computing the char- acteristic polynomial of a square matrix of sizekover a ringRisOe(k^ν) operations in R. Hence, computingχMi costsOe((cid)^ν) operations inZ_q. So, computingχM

costsOe((Ps

i=1c^ν_i)d^νnN) elementary operations and requiresOe Ps i=1c²_i

d²nN bits of memory.

The global cost of Step 4 is therefore Oe((nr+ (Ps

i=1c^ν_i))d^νnN) elementary operations and requires Oe Ps

i=1c²_i d²nN

bits of memory.

In Step 5 of Algorithm 1, we compute the polynomialU of degreeδ−1 over the integers. This corresponds to multiplying at most δ−1 binomials with coefficients no larger thatpⁿ. So this costsOe(nδ) elementary operations. We then divide the polynomial obtained in Step 5 byU, so Step 5 costs the equivalent ofO(g) =O(rd) operations inZq, that isOe(rdnN) elementary operations and requiresOe(rdN) bits of memory.

The total complexity of our algorithm is therefore Oe pndN²+pd²nrN(N+d) + nr+

Xs

i=1

c^ν_i

!!

d^νnN+rdnN

!

elementary operations and

Oe pndN²+d²nN Xs

i=1

c²_i

!!

bits of memory. Theorem 4.3 tells us thatN =Oe(ng) =Oe(nrd), so the complexity of our algorithm is

Oe pn³d⁴r³+n²rd^ν+1 Xs

i=1

c^ν_i

!!

elementary operations and

Oe pn³d³r²+n²d³r Xs

i=1

c²_i

!!

bits of memory.

Remark5.2. Note that ifq≡1 modr, thens=r−1 andci= 1 for 1≤i≤s, and hence the complexity of Algorithm 1 isO pne ³d⁴r³

, which is the better case.

Remark5.3. We can improve the complexity of this algorithm in larger charac- teristic to Oe √pn³d⁴r³+n²rd^ν+1(Ps

i=1c^ν_i)

, by applying Harvey’s improvements [Har07] to Kedlaya’s algorithm which were extended to superelliptic curves by Minzlaff [Min10]. Indeed, our algorithm is entirely compatible with Minzlaff’s im- provements and we can apply them to our algorithm. These improvements consist of two major key points. First, they use a different representation for the images of differential forms under the action of Frobenius: in Kedlaya’s algorithm, we use an approximation by series whose number of terms is linear in pwhereas Harvey’s improvements use a different series approximation which does not depend onp. Sec- ond, these improvements reduce the complexity of the reduction algorithm, which is the major step, by solving a linear recurrence using the Bostan–Gaudry–Schost algorithm [BGS07].

6. Bounds on precision

In this section, we give a proof of Theorem 4.3. In order to compute the Weil polynomial exactly, we need to take sufficient precision. The Weil bounds give us a minimal bound N0, but this bound is not sufficient since the divisions in the reduction algorithm (Algorithm 2) induce a loss of precision. Proposition 6.1 estimates the loss of precision during the first step of Algorithm 2, and Proposition 6.2 estimates the loss of precision during the second step of Algorithm 2.

Proposition6.1. IfRis a polynomial defined over Zq with degree less thand, then the first step in Algorithm 2 transforms R(x)τ^{k dx}_yℓ, with k >1, into S(x)^dx_yℓ, where S is a polynomial defined over Q_q with degree less than d. Moreover, the coefficients of S have denominator bounded byp⌊^{logp(r(k−1)+ℓ)}⌋.

Proof. We follow the approach of [Ked01, Lemma 2] and [Edi03, Lemma 4.3.4].

During the first step of Algorithm 2, we apply (3.8) several times. Hence, divi- sions byr(i−1) +ℓare done, which corresponds to negative powers ofyappearing during this step, for each 1≤i≤k, and positive powers ofpmay occur in denom- inators. It is then natural to look at what happens at the poles ofy⁻¹, that is the points Pi = (αi,0), with αi a root off in Z_q (note thatαi is a simple root off), in order to deduce what happens globally.

Let Q = Pk−1

j=1Qj(x)^τ_y^jℓ be such that R(x)τ^{k dx}_yℓ = S(x)^dx_yℓ +dQ, with Qj

defined overQ_q of degree less thand, for any 1≤j < k. Asαiis a simple root off, the function y is a uniformizing parameter for the local ringOPi, that is, the ring of functions on C regular at Pi. Thus, the weak completionO^†Pi ofOPi is Z_q[[y]].

We can then write dQand Qas series:

dQ= X

j≥−(r(k−1)+ℓ+1)

cjy^jdy

and

Q= X

j≥−(r(k−1)+ℓ+1)

cj

j+ 1y^j+1.

As cj coincides with the corresponding coefficient of R(x)τ^{k dx}_y when j < 0, it lies in Z_q. Hence, if we set m = p⌊^{logp(r(k−1)+ℓ)}⌋, then m_j+1^cj is integral (ie in Z_q) forj <0. Evaluating the coefficient ofy−(r(k−1)+ℓ)at a pole Pi ofy⁻¹ in the expressionQ = Pk−1

j=1Qj(x)^τ_y^jℓ gives

Qk−1(αi) = c−(r(k−1)+ℓ+1)

−(r(k−1) +ℓ),

somQk−1(αi) is integral. As this statement is independent of the pointPi chosen, it holds for any 1≤i≤d. Thus,mQk−1 (of degree less thand) is integral at each of theddistinct poles ofy⁻¹and it follows thatmQk−1is a polynomial defined over Z_q. The same argument applied toQ−Qk−1τ^k−1gives thatmQk−2is a polynomial defined overZ_q. By induction, all themQkare defined overZ_q. It follows thatmQ is integral and then mS is as well becauseS(x)^dx_y =R(x)^dx_y −dQ.

Proposition6.2. IfS is a polynomial defined overZq with degree m≥d−1, then the second step in Algorithm 2 transforms S(x)^dx_yℓ intoT(x)^dx_yℓ, whereT is a polynomial defined over Q_q with degree less than d−1. The coefficients ofT have denominator bounded byp⌊^logp(^r(m+1)δ ^−ℓd)⌋.

Proof. We follow the approach of [Edi03, Lemma 4.3.5].

During the second step of Algorithm 2, we apply (3.9) several times. As we divide by the leading coefficient of the polynomial given in (3.9), positive powers of p may occur at the denominators, which corresponds to positive powers of x appearing in this step. Hence we study what happens at the poles ofx, that is the points at infinityP∞,k= [1 :ζ_r^k : 0] ofC, with 1≤k≤δ.

Let v∞,k denote the valuation at P∞,k. Let Q = Pm

i=d−1raix^i−d+1y^r−ℓ be such that S(x)^dx_yℓ = T(x)^dx_yℓ +dQ. Then v∞,k(x) = −^rδ, v∞,k(y) = −^dδ so v∞,k(dx) =−^r+δ_δ . Moreover,v∞,k

dx y^ℓ

= ^{ℓd−r−δ}_δ so

v∞,k(Q)≥ℓd−r(m+ 1) δ and

v∞,k

Tdx

y^ℓ

≥ ℓd−r(d−1)−δ

δ .

Letzk be a local uniformizer atP∞,k, so thatOP∞,k isZ_q[[zk]]. Then we have the following expansion inZ_q[[zk]]:

dQ= X

j≥^{ℓd−r(m+1)}_δ −1

cjz_k^jdzk

and

Q= X

j≥^{ℓd−r(m+1)}_δ −1

cj

j+ 1z^j+1_k . Letm=p⌊^logp(^r(m+1)δ ^−ℓd)⌋. Asv∞,k(T^dx_yℓ)≥ −r(d−1)−ℓd+δ

δ , then the cj are in Z_q forj≤ −(r(d−1)−ℓd+δ)/δ−1 =−(d(r−ℓ) + 2δ−r)/δ since they coincide with the coefficients of S, som_j+1^cj is inZq forj≤ −(d(r−ℓ)+2δ−r)

δ .

As all thev∞,k(x^{i dx}_yℓ) are distinct and less than ℓd−r−δ−r(d−1)

δ ≤ −d(r−ℓ)+2δ−r δ

ford−1≤i≤mandℓ >0, it follows that all the termsmQj are in Zq[x].

Since the previous statements are independent ofk, they hold for any point at infinity ofC. HencemQis inZ_q[x], andmT is inZ_q[x] too.

The two previous propositions estimate the loss of precision resulting from the reductions. Recall that we are working with p-adic elements up to precision N, and that every element of A^† is an overconvergent series, that is a series whose coefficients have p-adic valuation which grows at least linearly. This means that for any 0 ≤i≤d−2 and 1 ≤j ≤r−1,F

xⁱdx y^j

is a power series of the form P

k≥0Fkτ^k and there exists µsuch thatvp(Fk) is greater than p^N, for allk > µ.

Thus in practice, all the computed series are in fact polynomials of degree at most µ inτ.

Proof of Theorem 4.3. The Weil bounds state that, if we put N0=

log_p

2

2g g

q^g/2

,

then N0is the minimal precision we have to take to compute the Weil polynomial exactly. We also have to take into account all the digits lost by the divisions done during the reduction steps.

LetN be the total precision we must take to compute the zeta function exactly, and N1 the intermediate precision we must take to do the first reduction step up to precisionN1. We will determineN as a function ofN1 andN1 as a function of N0to recoverN as a function ofN0.

Let µ denote the integer such that the vp(Fk) are greater thanN for k > µ (they are zero modulo p^N).

Using the expression of the action of Frobenius on vectors ofB given by (3.7), we find that the integerµwe want to determine is such that ^k−a_p + 1≥N fork > µ and ^µ−a_p + 1< N, so

µ=p(N−1) +a−1.

Note that a < p, since a is the quotient in the division of jp byr, and that j ≤r−1. Hence,µ < pN−1.

To determine N, let us have a look at what happens during the reductions.

Proposition 6.1 says that we lose

log_p(r(k−1) +ℓ)

digits of precision during the first step of Algorithm 2, when we reduce Qkτ^{k dx}_yℓ with deg(Qk)< d. We want to takeNas small as possible such that after this first step of reduction, there remains N1digits of precision for the second step of Algorithm 2, that is, such that (6.1) ^k−a_p + 1−

log_p(r(k−1) +ℓ)

≥N1 for k > µ (here N appears in the expression ofµ).

The functiong: [µ+1, +∞)→Rmappingkto the left hand side of Inequality (6.1) is strictly increasing; so we take the smallestN such thatg(µ+ 1)≥N1. We find that N is the minimal integer satisfying

(6.2) N−

log_p(p(rN −1)−r)

≥N1.

In order to determine N1, consider what happens during the second step of Algorithm 2: the terms contributing to the loss of precision during this step are those with degree 0 in τ, that is, the polynomials with degree in x greater than d−2. For 1≤i≤d−2 and 1≤j≤r, we have

F

xⁱdx y^j

=X

k≥0

−j/r k

p^k+1E^kx^p(i+1)−1τ^pk+adx y^ℓ

and i = d−2 at worst, so deg(E^kx^p(d−1)−1) ≤ k(pd−1) +p(d−1)−1. As

k(pd−1)+p(d−1)−1

d <(k+ 1)p, we can write −j/r

k

p^k+1E^kx^p(i+1)−1τ^pk+a= X

a−p<j<pk+a

cj,kτ^j,

so the degree inxof the constant term ofF x^{i dx}_y

is at mostd(p − a).

Proposition 6.2 says that the number of digits lost during this second step is

log_p

r(d(p−a) + 1)−ℓd δ

.

Since jp = ar + ℓ, we lose j

log_pdp(r−j)+r

δ

k ≤ j

log_pdp(r−1)+r

δ

k digits.

Hence,

(6.3) N1=N0+

log_p

r(dp+ 1)−d δ

.

Let us put these two parts together. Combining Equations (6.2) and (6.3), we should take

N = min

n∈N

n−

log_p

p(rn−1)−r

≥N1

= min

n∈N

n−

log_p

p(rn−1)−r

≥N0+

log_pdp(r−1) +r δ

.

7. The choice of the set of differentials

In Step 5 of Algorithm 1 we compute the norm M of the matrix of Frobenius MFwith respect toB, and in Step 6 we compute its characteristic polynomialχ(t).

IfMF has coefficients with denominators (coefficients inQ_q\Z_q), then it is difficult to control the valuation of these denominators in the norm, and worse, we have to enlarge the precision bounds to recover the Weil polynomial exactly by a number of digits that is hard to estimate.

So, it would be ideal ifMF was guaranteed to have coefficients inZ_q. Propo- sition 7.1 tells us whetherMF has integral coefficients or not.

Proposition7.1. Let 0≤i≤d−2 and1≤j ≤r−1.

• The first step in Algorithm 2, applied to F(x^{i dx}_yj), computes a differen- tial form whose coefficients have denominators of valuation bounded by log_p(r)

.

• The second step in Algorithm 2, applied to F(x^{i dx}_yj), computes a differ- ential form whose coefficients have denominators of valuation bounded by jlog_p2g+(δ−2)

δ

k .

Proof. In this proof, we follow the approach of [Har12, Lemma 3.4].

Recall that F

x^{i dx}_yj

= x^p(i+1)−1P

k≥0

−j/r k

E^kp^k+1τ^{pk+a dx}_yℓ

= x^p(i+1)−1P

k≥ap^k

−a p +1

Qk(x)τ^{k dx}_yℓ,

where jp=ar+ℓ. Lemma 6.1 shows that after the first step in Algorithm 2 the valuation inpof the coefficients have the form:

(7.1) k+ 1−

log_p(r(pk+a−1) +ℓ)

≥k−

log_p(kr+j) .

Let g be the function defined on [0,+∞) by g(x) =k−log_p(kr+j). Since g is strictly increasing, the right hand side is maximal when k= 0, which implies that the left hand side in Inequality 7.1 is greater than⌊log_p(j)⌋ ≤ ⌊log_p(r)⌋.

Now consider the terms p^k−pa+1Qk(x)x^p(i+1)−1τ^{k dx}_yℓ appearing in the second step of Algorithm 2. After normalizing the coefficients, each term will be expressible in the formS^dx_yℓ, with

deg(S) =p(i+ 1)−1 + deg(Qk)−dk.

After the second step in Algorithm 2, the denominators are bounded by A=

log_p

rp(i+ 1) +rdeg(Qk)−rkd−ℓd δ

−1−k−a p

Since Qa = 1 and deg(Qk) < d for any k > a, this expression is maximal when k=a, which gives

A≤

log_p

rp(i+ 1)−(ra+ℓ)d δ

−1.

As jp = ar+ℓ, we can express the right hand side of the inequality as jlog_pr(i+1)−jd

δ

k, which is less than j

log_{pd(r−1)−r}

δ

k. Relation 2.2 allows us to replaced(r−1) with 2g+ (δ−2).

Hence, the denominators of the coefficients ofMF are bounded by

log_p

2g−(δ−2) δ

.